On Thu, 2020-01-02 at 22:27 +0000, Paul Moore (pmoore2) via tboot-devel
wrote:
> I hope everyone had a nice holiday and is enjoying the new year thus
> far.
> 
> As you've seen in the other thread, I'm playing around with different
> tboot/TXT policies and I have a question regarding tboot/VLP policies
> that can extend PCRs using something other than SHA1: at present
> tb_polgen seems limited to using SHA1, does anyone have any patches to
> use SHA256 (or another hash)?

To answer my own question, it appears that Lukasz added support in
549:ca935709d8a6 ("Add support for SHA256 in tb_polgen").

Lukasz, if I wanted to generate both SHA1 and SHA256 hashes for a TPM2
system, would I need to create two rules in the VLP?  For example I do
the following now for the TXT/sig patches and PCR20:

 # tb_polgen --add --num 0 --pcr 20 \
     --hash pecoff pecoff.vlp

... but that only writes the SHA1 hash into PCR20, presumably I could do
the following to support both hashes?

 # tb_polgen --add --num 0 --pcr 20 --alg sha1 \
     --hash pecoff pecoff.vlp
 # tb_polgen --add --num 0 --pcr 20 --alg sha256 \
     --hash pecoff pecoff.vlp

-Paul

_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
